Penetration Testing
Oracle Application Express / Password hashes Feb 20 2013 11:34AM
Guillaume Lopes (isec gls gmail com) (1 replies)
Re: Oracle Application Express / Password hashes Feb 20 2013 12:58PM
Per Thorsheim (per thorsheim net)
Passwords are stored as salted MD5 values according to
programming4.us/database/8126.aspx

What you need after extracting the hash values is to use a password
cracker that handles Oracle specific salted MD5. Both John the Ripper &
Hashcat can do that:

www.hashcat.net
www.openwall.com/john/

Both have forums where you can ask for help. There are also commercial
services on top of these freeeware tools to help you out, eventually to
speed up the process.

Best regards,
Per Thorsheim
http://securitynirvana.blogspot.com/

Den 20.02.2013 12:34, skrev Guillaume Lopes:
> Hello all,
>
> I have to crack password hashes from an Oracle application (APEX). The
> version is APEX 4.0.
>
> I have found documentation saying that password hashes are the
> concatenation of the username, the password and the security groupd id
> since APEX 3.0.
>
> Do you know a tool or another way to retrieve clear passwords from hashes ?
>
> I tried to use Repscan but the free trial seems to have a bug.
>
> Regards,
> Guillaume
>

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus